2 Replies Latest reply on Apr 4, 2014 7:51 PM by Hayton

    Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??

    patstirrer

      I can find no mention of the CryptoDefense ransomware Trojan

      Trojan:Win32/CryptoDefense.A

      Please update Threat Intelligence and information.

      Are we protected by McAfee and which DAT?

        • 1. Re: Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??
          Peter M

          Antivirus applications only have limited defense against these things, which are only activated by some action by the user.

          Read here for some excellent guidelines on this particular one: http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information

          When something like this hits you, the best action is to immediately power off without clicking any keys or touching your mouse.

          See the last link in my signature below for more hints.

          Message was edited by: Ex_Brit on 03/04/14 8:24:54 EDT PM
          • 2. Re: Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??
            Hayton

            This variant was only identified and published today by Microsoft.

            Alert level: Severe

            Detected by definition: 1.169.1618.0 and higher

            First detected on: Apr 03, 2014

            This entry was first published on: Apr 03, 2014

            McAfee haven't yet published anything about it but - especially as it has been referenced here - they will do very soon.

            CryptoDefense has been around since February but the original version had an embarrassing (for the authors) flaw: they left the decryption key in plain view on the infected systems' hard drives -

            Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software.

            As this has been widely publicised I would guess that the latest variant is a patch rushed out to fix that little oversight.

            Edit - BleepingComputer have made public the existence of the decryption key. They imply that the key is only present for systems infected before April 1st.

            If your computer has been infected with CryptoDefense there may be a chance to restore your files. Fabian Wosar of Emsisoft discovered a method that allows you to decrypt your files if you were infected before April 1st 2014. Unfortunately, this only works for 50% of the infection cases but still provides a good chance of getting your files back.

            For instructions on how to do this, please read this section:

            How to decrypt files encrypted by CryptoDefense

            Message was edited by: Hayton on 05/04/14 01:51:58 IST